Tag Archive for 'Ziframer'

Today I came accross an Iframer called Ziframer. But first of all: What is an Iframer?

An Iframer is a script which is used to test stolen FTP accounts and inject malicious code into web pages. If an FTP account is valid, the Iframer automaticly puts an Drive-by infection on the specified html, php or asp files.

In this case the Iframer is a PHP-script which is used to spread a variant of ZeuS (aka Zbot/WSNPoem). The Iframer is called “Ziframer” and is sold for 30$. The PHP script can bee launched via command line or accessed using a web browser:

The script is very simple and just needs a list of FTP accounts which the script should check. As you can see on the screenshot above, the input file (ftp.txt) currently contains more then 18’000 stolen FTP credentials:

In the file “iframe.txt” the attacker can define the (JavaScript- or HTML-) code he would like to inject:

The cyberciminal has also the possibility to set a timeout, a file where the script will report invalid FTP credentials (bad.txt) and a file which will collect valid FTP credentials (good.txt). The screenshot below shows you the script while working through the list of stolen FTP credentials (ftp.txt):

Last but not least the attacker has to define where he wants to put the malicious code. He has the following options:

start page – Inject the code at the top of the pageend – Inject the code at the bottom of the pagechange – Replace a text or a string in the page with the malicious codecheck – Check if the malicious code is already on the page

Now the cybercriminal has just to press the “START” button to run the script. The Iframer script will now get through the FTP accounts and inject the malicious code which is defined in the file “iframe.txt” (see this one).

To make the use of the script more user friendly, the script has a readme file which describes the usage of the script in russian and english.

Content of readme.html (english):

This script is designed to test the FTP accounts on the validity, insert the code into files on the FTP.

[Features]
[*] Console and Web interface
[*] Stabilno runs under Windows and Nix BSD
[*] Check for validity ftp
[*] Paste the Code (at the beginning or end of file. Or a full overwrite the file to your text – defeys)
[*] Strange Komentirovanie iframe’ov
[*] Convenience logs [*] All akki (valid \ invalid) remain in the database.
[*] The names of files, to insert the code can be set regExp’om, such as index \ .(.*)[_ b] or [_b ](.*). php | html | asp | htm.
[*] It takes on all the folders on the site.
[*] Function update replaces your old code to the new (for example, changed the addresses fryma)

[Run]
[!] Recommend to use the console interface

Windows
Open a console (Start-> Run-> cmd)
Write to the path to php.exe for example c: \ php \ php.exe
then write the path to the script (zifr.php)
For example the so-c: \ php \ php.exe D: \ soft \ ziframer \ zifr.php
the script will run and display a certificate.

* NIX
Open the console / ssh
Write to php then write the path to the script (zifr.php)
For example the so-php / home / user / soft / ziframer / zifr.php
the script will run and display a certificate.

[Options]
-file -f Path to the file to your FTP
-code -c path to a file with code introduced
-inject -i Where vstavlt code three options
start – top of the page
end – in the bottom of the page
change – replace the text in the page code
-time -t Timeout for connecting to the FTP
-del -d With this option chyuzhye ifremy komentiruyutsya
-update -u Update your code with this option, the script ishet inserted your code and replaces it with a new
-good -g file where badat skladyvatsya working FTP
-bad -b file where badat skladyvatsya not working FTP
-hide -h If you enable this option, your code will not markerovatsya but you will not be able to use the function update
-restore -r Continue from the last FTP if you had not had time to do the whole list you can start from where you stopped

Conclusion

The Ziframe script is very simple an cheap. Even a n00b is able to use it.

It also demonstrates how efficiently and easily cybercriminals can distribute their malicious code to tremendous numbers of stolen FTP accounts. Automated mechanisms like this one shows how infection vectors are more and more shifted from E-mails with malicious attachments to Drive-by. The modular approach allows the cybercriminal to feed the script with different lists of compromised accounts that can be acquired on the underground market.